oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install

openshift · Sep 15, 2020 · 8da31ae · 8da31ae
1 parent 32c3b69
commit 8da31ae
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -604,12 +604,25 @@ func prepareOauthAPIServerOperator(ctx context.Context, controllerContext *contr
 		return err
 	}
 
+	operatorConfig, err := operatorCtx.configClient.ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	// TODO(4.7): switch over to secure access-token logging by default and delete old non-sha256 tokens
+	auditPolicyPathGetterWithAccessTokenLogs := func(profile string) (string, error) {
+		if operatorConfig.Annotations["oauth-apiserver.openshift.io/secure-token-storage"] == "true" {
+			return auditPolicyPathGetter("secure-oauth-storage-" + profile)
+		}
+		return auditPolicyPathGetter(profile)
+	}
+
 	configObserver := oauthapiconfigobservercontroller.NewConfigObserverController(
 		operatorCtx.operatorClient,
 		operatorCtx.kubeInformersForNamespaces,
 		operatorCtx.operatorConfigInformer,
 		operatorCtx.resourceSyncController,
-		auditPolicyPathGetter,
+		auditPolicyPathGetterWithAccessTokenLogs,
 		controllerContext.EventRecorder,
 	)